https://community.splunk.com/t5/Getting-Data-In/Casing-and-FQDNs-means-triple-host-entries/m-p/338644#M62509 <P>We feel your pain. Also, please note, in some types of events we tend to end up with the IP address standing in place of a missing hostname, so you can't grab everything to the left of the period until after you've checked that the entire hostname isn't of the format of an IP. Usually, we end up using upper() and some rexes to make sure we are getting the best guess at the short host. </P> <PRE><CODE>| rex field=myhostname "^(?&lt;shost&gt;\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|[^.\]*)" | eval shost=upper(coalesce(shost, myhostname, "((MISSING))" )) </CODE></PRE> <P>The above grabs an IP address if it starts out the field (imprecise IP-grabbing rex for demo purposes only) then grabs everything to the left of the first period... which if there is no period, means the whole field. The only failure in the rex is if the first character is an actual period, in which case the <CODE>eval/coalesce</CODE> puts the invalid hostname back into place before translating the whole thing to upper case.</P> <P>General notes - 1) searches are case-insensitive, but field values are case-sensitive. 2) Field aliasing is your friend. </P> Mon, 31 Jul 2017 16:22:29 GMT DalJeanis 2017-07-31T16:22:29Z https://community.splunk.com/t5/Getting-Data-In/Casing-and-FQDNs-means-triple-host-entries/m-p/338642#M62507 <P>I have quite a few hosts that are listed multiple times in Splunk. For an example:</P> <P><CODE>HOST01</CODE><BR /> <CODE>host01</CODE><BR /> <CODE>host01.fqdn</CODE></P> <P>I'm relatively new to Splunk. What are my options for merging those entries?</P> Mon, 31 Jul 2017 15:20:20 GMT https://community.splunk.com/t5/Getting-Data-In/Casing-and-FQDNs-means-triple-host-entries/m-p/338642#M62507 CMSchelin 2017-07-31T15:20:20Z https://community.splunk.com/t5/Getting-Data-In/Casing-and-FQDNs-means-triple-host-entries/m-p/338643#M62508 <P>The best thing to do is to have each forwarder report (self-identify) the way that you prefer. This is controlled in <CODE>server.conf</CODE> on the forwarder so read the documentation on that. This effects NEW data but old data will stay jumbled so you can do something like this before you aggregate your data with <CODE>stats</CODE> or whatever:</P> <PRE><CODE>... | rex field=host mode=sed "s/\..*$//" | eval host=lower(host) ... </CODE></PRE> Mon, 31 Jul 2017 16:07:39 GMT https://community.splunk.com/t5/Getting-Data-In/Casing-and-FQDNs-means-triple-host-entries/m-p/338643#M62508 woodcock 2017-07-31T16:07:39Z https://community.splunk.com/t5/Getting-Data-In/Casing-and-FQDNs-means-triple-host-entries/m-p/338644#M62509 <P>We feel your pain. Also, please note, in some types of events we tend to end up with the IP address standing in place of a missing hostname, so you can't grab everything to the left of the period until after you've checked that the entire hostname isn't of the format of an IP. Usually, we end up using upper() and some rexes to make sure we are getting the best guess at the short host. </P> <PRE><CODE>| rex field=myhostname "^(?&lt;shost&gt;\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}|[^.\]*)" | eval shost=upper(coalesce(shost, myhostname, "((MISSING))" )) </CODE></PRE> <P>The above grabs an IP address if it starts out the field (imprecise IP-grabbing rex for demo purposes only) then grabs everything to the left of the first period... which if there is no period, means the whole field. The only failure in the rex is if the first character is an actual period, in which case the <CODE>eval/coalesce</CODE> puts the invalid hostname back into place before translating the whole thing to upper case.</P> <P>General notes - 1) searches are case-insensitive, but field values are case-sensitive. 2) Field aliasing is your friend. </P> Mon, 31 Jul 2017 16:22:29 GMT https://community.splunk.com/t5/Getting-Data-In/Casing-and-FQDNs-means-triple-host-entries/m-p/338644#M62509 DalJeanis 2017-07-31T16:22:29Z